diff --git a/net-mgmt/pfSense-pkg-zabbix-agent/Makefile b/net-mgmt/pfSense-pkg-zabbix-agent/Makefile
index 62ecdd560314..e0a2f695de01 100644
--- a/net-mgmt/pfSense-pkg-zabbix-agent/Makefile
+++ b/net-mgmt/pfSense-pkg-zabbix-agent/Makefile
@@ -2,7 +2,7 @@
PORTNAME= pfSense-pkg-zabbix-agent
PORTVERSION= 0.8.9
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= net-mgmt
MASTER_SITES= # empty
DISTFILES= # empty
@@ -13,7 +13,7 @@ COMMENT= pfSense package zabbix-agent
LICENSE= ESF
-RUN_DEPENDS= ${LOCALBASE}/sbin/zabbix_agent:net-mgmt/zabbix22-agent
+RUN_DEPENDS= ${LOCALBASE}/sbin/zabbix_agentd:net-mgmt/zabbix3-agent
NO_BUILD= yes
NO_MTREE= yes
diff --git a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc
index a918153bd46e..fbb0365348b9 100644
--- a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc
+++ b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc
@@ -32,11 +32,12 @@ require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
+require_once("certs.inc");
define('ZABBIX_AGENT_BASE', '/usr/local');
function php_deinstall_zabbix_agent_lts() {
- unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf");
+ unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix3/zabbix_agentd.conf");
unlink_if_exists("/var/log/zabbix-agent-lts/zabbix_agentd_lts.log");
unlink_if_exists("/var/run/zabbix-agent-lts/zabbix_agentd_lts.pid");
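Review bot: php_deinstall_zabbix_agent_lts() removes the config, log and pid files but, as far as this hunk shows, not the TLS material this commit starts writing next to the config, so the agent private key and PSK would stay on disk after the package is removed. Consider adding, next to the conf unlink, `foreach (array("ca", "crl-verify", "cert", "key", "psk") as $ext) { unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix3/zabbix_agentd.{$ext}"); }`. The function body continues outside the hunk, so this may already be handled further down. The same applies to php_deinstall_zabbix_proxy_lts() and the zabbix_proxy.* files.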
@@ -132,6 +133,45 @@ function sync_package_zabbix_agent_lts() {
$ListenIp = $zbagent_config['listenip'] ?: "0.0.0.0";
$ListenPort = $zbagent_config['listenport'] ?: "10050";
$TimeOut = $zbagent_config['timeout'] ?: "3";
+ $TLSConnect = $zbagent_config['tlsconnect'];
+ $TLSAccept = $zbagent_config['tlsaccept'] ?: "unencrypted";
+
+ if ($zbagent_config['tlscaso']) {
+ $TlsCAfile = "TLSCAFile=/usr/local/etc/ssl/cert.pem";
+ } else {
+ if ($zbagent_config['tlscafile'] != "none") {
+ $ca = lookup_ca($zbagent_config['tlscafile']);
+ zabbix_agent_add_keyfile($ca['crt'], "ca");
+ $TlsCAfile = "TLSCAFile=/usr/local/etc/zabbix3/zabbix_agentd.ca";
+ }
+ }
+
+ if ($zbagent_config['tlscrlfile'] != "none") {
+ $crl = lookup_crl($zbagent_config['tlscrlfile']);
+ crl_update($crl);
+ zabbix_agent_add_keyfile($crl['text'], "crl-verify");
+ $TlsCRLfile = "TLSCRLFile=/usr/local/etc/zabbix3/zabbix_agentd.crl-verify";
+ }
+
+ if ($zbagent_config['tlscertfile'] != "none") {
+ $cert = lookup_cert($zbagent_config['tlscertfile']);
+
+ zabbix_agent_add_keyfile($cert['crt'], "cert");
+ $TlsCERTfile = "TLSCertFile=/usr/local/etc/zabbix3/zabbix_agentd.cert";
+
+ zabbix_agent_add_keyfile($cert['prv'], "key");
+ $TlsKEYfile = "TLSKeyFile=/usr/local/etc/zabbix3/zabbix_agentd.key";
+ }
+
+ if (! empty($zbagent_config['tlspskidentity']) ) {
+ $TLSPSKIdentity = "TLSPSKIdentity={$zbagent_config['tlspskidentity']}";
+ }
+
+ if (! empty($zbagent_config['tlspskfile']) ) {
+ zabbix_agent_add_keyfile($zbagent_config['tlspskfile'], "psk");
+ $TLSPSKFile = "TLSPSKFile=/usr/local/etc/zabbix3/zabbix_agentd.psk";
+ }
+
$zbagent_conf_file = <<< EOF
Server={$zbagent_config['server']}
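Review bot: The `!= "none"` tests on `tlscafile`, `tlscrlfile` and `tlscertfile` are also true when the key is missing or empty, which is presumably the case for a configuration saved before this upgrade, and the results of lookup_ca(), lookup_crl() and lookup_cert() are used without a check. In that case the code would write empty .ca/.cert/.key files and still emit the TLSCAFile/TLSCertFile/TLSKeyFile directives. Guard each branch on a non-empty selection and a successful lookup, e.g. `if (!empty($zbagent_config['tlscertfile']) && $zbagent_config['tlscertfile'] != "none" && ($cert = lookup_cert($zbagent_config['tlscertfile'])))`. Nothing here removes key files left from an earlier selection when the admin switches back to "none", so a stale private key or PSK can remain in /usr/local/etc/zabbix3. The identical block in sync_package_zabbix_proxy_lts() needs the same treatment; the function starts and ends outside this hunk.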
@@ -148,10 +188,18 @@ Timeout={$TimeOut}
BufferSend={$BufferSend}
BufferSize={$BufferSize}
StartAgents={$StartAgents}
+TLSConnect={$TLSConnect}
+TLSAccept={$TLSAccept}
+{$TlsCAfile}
+{$TlsCRLfile}
+{$TlsCERTfile}
+{$TlsKEYfile}
+{$TLSPSKIdentity}
+{$TLSPSKFile}
{$UserParams}
EOF;
- file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => "")));
+ file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix3/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => "")));
}
}
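Review bot: `TLSConnect={$TLSConnect}` is written unconditionally, but `$TLSConnect` has no fallback (unlike `$TLSAccept`), so an unset `tlsconnect` produces an empty `TLSConnect=` line that the agent may refuse to start with. Give it the same default where it is assigned: `$TLSConnect = $zbagent_config['tlsconnect'] ?: "unencrypted";`. The six optional variables (`$TlsCAfile` through `$TLSPSKFile`) are only assigned inside conditionals, so they are undefined in this heredoc whenever a branch is skipped; initialising them to `""` before the conditionals avoids the PHP notices. The proxy template in zabbix-proxy-lts.inc has the same lines.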
@@ -203,8 +251,8 @@ EOF;
// Check startup script files
// Create a few directories and ensure the sample files are in place
- if (!is_dir(ZABBIX_AGENT_BASE . "/etc/zabbix22")) {
- mwexec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/zabbix22");
+ if (!is_dir(ZABBIX_AGENT_BASE . "/etc/zabbix3")) {
+ mwexec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/zabbix3");
}
$dir_checks = <<< EOF
@@ -250,4 +298,14 @@ EOF;
conf_mount_ro();
}
+// Based on openvpn_add_keyfile() function
+function zabbix_agent_add_keyfile($data, $directive) {
+
+ $fpath = "/usr/local/etc/zabbix3/zabbix_agentd.{$directive}";
+
+ file_put_contents($fpath, base64_decode($data));
+ @chmod($fpath, 0600);
+ @chown($fpath, "zabbix");
+}
+
?>
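Review bot: zabbix_agent_add_keyfile() creates the file with the process umask and only then narrows it to 0600, so a private key or PSK can be briefly readable by other local users, and the `@` on chmod()/chown() hides a failure that would leave it that way. base64_decode() of a missing value also silently writes an empty file. I would set a restrictive umask around the write and report failures instead of suppressing them, as sketched below; `$directive` only receives literals from the callers in this commit, which is worth stating in the comment above the function. zabbix_proxy_add_keyfile() in zabbix-proxy-lts.inc is a copy and needs the same change.

```php
function zabbix_agent_add_keyfile($data, $directive) {
	$fpath = "/usr/local/etc/zabbix3/zabbix_agentd.{$directive}";

	$decoded = base64_decode($data);
	if ($decoded === false || $decoded === "") {
		log_error("zabbix-agent: no usable data for {$fpath}");
		return;
	}

	// Create the file owner-only from the start rather than narrowing it afterwards.
	$old_umask = umask(0077);
	$written = file_put_contents($fpath, $decoded);
	umask($old_umask);

	if ($written === false || !chmod($fpath, 0600) || !chown($fpath, "zabbix")) {
		log_error("zabbix-agent: could not write or protect {$fpath}");
	}
}
```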
diff --git a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml
index ff70ae87c0b2..acd597031792 100644
--- a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml
+++ b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml
@@ -177,6 +177,107 @@
]]>
+
+ TLS-RELATED Parameters
+ listtopic
+
+
+ TLS Connect
+ tlsconnect
+
+
+ Only one value can be specified:
+ unencrypted - connect without encryption
+ psk - connect using TLS and a pre-shared key
+ cert - connect using TLS and a certificate
+ ]]>
+
+ select
+ unencrypted
+
+
+
+
+
+
+
+ TLS Accept
+ tlsaccept
+
+
+ Multiple values can be specified:
+ unencrypted - connect without encryption
+ psk - connect using TLS and a pre-shared key
+ cert - connect using TLS and a certificate
+ ]]>
+
+ select
+ unencrypted
+
+
+
+
+
+
+ 3
+
+
+ TLS CA
+ tlscafile
+ Top-level CA certificate for peer certificate verification.
+ select_source
+
+ descr
+ refid
+ none
+ none
+
+
+ TLS CA System
+ tlscaso
+ Use the CA certificate list from the operating system. This option overrides prior option.
+ checkbox
+
+
+ TLS CRL
+ tlscrlfile
+ List of revoked certificates.
+ select_source
+
+ descr
+ refid
+ none
+ none
+
+
+ TLS Cert
+ tlscertfile
+ Agent certificate.
+ select_source
+
+ descr
+ refid
+ none
+ none
+
+
+ TLS PSK Identity
+ tlspskidentity
+ Unique, case sensitive string used to identify the pre-shared key.
+ input
+ 60
+
+
+ TLS PSK
+ tlspskfile
+ base64
+ textarea
+ 5
+ 50
+
+
User Parameters
userparams
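Review bot: The new "TLS PSK" field (`tlspskfile`) has no description in the visible text, unlike the other TLS fields, so the GUI gives no hint about the expected format. Zabbix expects the PSK as a string of hexadecimal digits, at least 32 of them, so I would add a description along the lines of `Pre-shared key as hexadecimal digits (at least 32).` The markup is stripped on this page, so confirm the description element is really absent. The proxy XML adds the same field.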
diff --git a/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile b/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile
index 5931bcc12ecc..873dfbd8790d 100644
--- a/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile
+++ b/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile
@@ -2,7 +2,7 @@
PORTNAME= pfSense-pkg-zabbix-proxy
PORTVERSION= 0.8.9
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= net-mgmt
MASTER_SITES= # empty
DISTFILES= # empty
@@ -13,7 +13,7 @@ COMMENT= pfSense package zabbix-proxy
LICENSE= ESF
-RUN_DEPENDS= ${LOCALBASE}/sbin/zabbix_proxy:net-mgmt/zabbix22-proxy
+RUN_DEPENDS= ${LOCALBASE}/sbin/zabbix_proxy:net-mgmt/zabbix3-proxy
NO_BUILD= yes
NO_MTREE= yes
diff --git a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc
index d3a51388a3ac..8285e0634b95 100644
--- a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc
+++ b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc
@@ -32,11 +32,12 @@ require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
+require_once("certs.inc");
define('ZABBIX_PROXY_BASE', '/usr/local');
function php_deinstall_zabbix_proxy_lts() {
- unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy_lts.conf");
+ unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix3/zabbix_proxy_lts.conf");
unlink_if_exists("/var/log/zabbix-proxy-lts/zabbix_proxy_lts.log");
unlink_if_exists("/var/run/zabbix-proxy-lts/zabbix_proxy_lts.pid");
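Review bot: The deinstall path unlinks `/etc/zabbix3/zabbix_proxy_lts.conf`, but sync_package_zabbix_proxy_lts() in this same commit writes the configuration to `/etc/zabbix3/zabbix_proxy.conf`, so as far as the visible hunks show the generated file is never removed on uninstall. The mismatch predates this commit (the zabbix22 paths differed the same way), but since the line is being touched it should read `unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix3/zabbix_proxy.conf");`. The function continues outside the hunk.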
@@ -84,6 +85,44 @@ function sync_package_zabbix_proxy_lts() {
if ($zbproxy_config['proxyenabled'] == "on") {
$Mode = (is_numericint($zbproxy_config['proxymode']) ? $zbproxy_config['proxymode'] : 0);
$AdvancedParams = base64_decode($zbproxy_config['advancedparams']);
+ $TLSConnect = $zbproxy_config['tlsconnect'];
+ $TLSAccept = $zbproxy_config['tlsaccept'] ?: "unencrypted";
+
+ if ($zbproxy_config['tlscaso']) {
+ $TlsCAfile = "TLSCAFile=/usr/local/etc/ssl/cert.pem";
+ } else {
+ if ($zbproxy_config['tlscafile'] != "none") {
+ $ca = lookup_ca($zbproxy_config['tlscafile']);
+ zabbix_proxy_add_keyfile($ca['crt'], "ca");
+ $TlsCAfile = "TLSCAFile=/usr/local/etc/zabbix3/zabbix_proxy.ca";
+ }
+ }
+
+ if ($zbproxy_config['tlscrlfile'] != "none") {
+ $crl = lookup_crl($zbproxy_config['tlscrlfile']);
+ crl_update($crl);
+ zabbix_proxy_add_keyfile($crl['text'], "crl-verify");
+ $TlsCRLfile = "TLSCRLFile=/usr/local/etc/zabbix3/zabbix_proxy.crl-verify";
+ }
+
+ if ($zbproxy_config['tlscertfile'] != "none") {
+ $cert = lookup_cert($zbproxy_config['tlscertfile']);
+
+ zabbix_proxy_add_keyfile($cert['crt'], "cert");
+ $TlsCERTfile = "TLSCertFile=/usr/local/etc/zabbix3/zabbix_proxy.cert";
+
+ zabbix_proxy_add_keyfile($cert['prv'], "key");
+ $TlsKEYfile = "TLSKeyFile=/usr/local/etc/zabbix3/zabbix_proxy.key";
+ }
+
+ if (! empty($zbproxy_config['tlspskidentity']) ) {
+ $TLSPSKIdentity = "TLSPSKIdentity={$zbproxy_config['tlspskidentity']}";
+ }
+
+ if (! empty($zbproxy_config['tlspskfile']) ) {
+ zabbix_proxy_add_keyfile($zbproxy_config['tlspskfile'], "psk");
+ $TLSPSKFile = "TLSPSKFile=/usr/local/etc/zabbix3/zabbix_proxy.psk";
+ }
$zbproxy_conf_file = <<< EOF
Server={$zbproxy_config['server']}
@@ -98,10 +137,18 @@ FpingLocation=/usr/local/sbin/fping
# but if there was, the binary would likely also be in /usr/local/sbin.
Fping6Location=/usr/local/sbin/fping6
ProxyMode={$Mode}
+TLSConnect={$TLSConnect}
+TLSAccept={$TLSAccept}
+{$TlsCAfile}
+{$TlsCRLfile}
+{$TlsCERTfile}
+{$TlsKEYfile}
+{$TLSPSKIdentity}
+{$TLSPSKFile}
{$AdvancedParams}
EOF;
- file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
+ file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix3/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
}
}
@@ -153,8 +200,8 @@ EOF;
// Check startup script files
// Create a few directories and ensure the sample files are in place
- if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix22")) {
- mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix22");
+ if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix3")) {
+ mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix3");
}
$dir_checks = <<< EOF
@@ -218,4 +265,14 @@ EOF;
conf_mount_ro();
}
+// Based on openvpn_add_keyfile() function
+function zabbix_proxy_add_keyfile($data, $directive) {
+
+ $fpath = "/usr/local/etc/zabbix3/zabbix_proxy.{$directive}";
+
+ file_put_contents($fpath, base64_decode($data));
+ @chmod($fpath, 0600);
+ @chown($fpath, "zabbix");
+}
+
?>
diff --git a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml
index f6b1621e5ce8..f33b62f61427 100644
--- a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml
+++ b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml
@@ -126,6 +126,107 @@
10
true
+
+ TLS-RELATED Parameters
+ listtopic
+
+
+ TLS Connect
+ tlsconnect
+
+
+ Only one value can be specified:
+ unencrypted - connect without encryption
+ psk - connect using TLS and a pre-shared key
+ cert - connect using TLS and a certificate
+ ]]>
+
+ select
+ unencrypted
+
+
+
+
+
+
+
+ TLS Accept
+ tlsaccept
+
+
+ Multiple values can be specified:
+ unencrypted - connect without encryption
+ psk - connect using TLS and a pre-shared key
+ cert - connect using TLS and a certificate
+ ]]>
+
+ select
+ unencrypted
+
+
+
+
+
+
+ 3
+
+
+ TLS CA
+ tlscafile
+ Top-level CA certificate for peer certificate verification.
+ select_source
+
+ descr
+ refid
+ none
+ none
+
+
+ TLS CA System
+ tlscaso
+ Use the CA certificate list from the operating system. This option overrides prior option.
+ checkbox
+
+
+ TLS CRL
+ tlscrlfile
+ List of revoked certificates.
+ select_source
+
+ descr
+ refid
+ none
+ none
+
+
+ TLS Cert
+ tlscertfile
+ Agent certificate.
+ select_source
+
+ descr
+ refid
+ none
+ none
+
+
+ TLS PSK Identity
+ tlspskidentity
+ Unique, case sensitive string used to identify the pre-shared key.
+ input
+ 60
+
+
+ TLS PSK
+ tlspskfile
+ base64
+ textarea
+ 5
+ 50
+
+
Advanced Parameters
advancedparams
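Review bot: The description of the `tlscertfile` field still reads "Agent certificate." in the proxy package, apparently copied from the agent XML; it should say `Proxy certificate.` so the admin selects the certificate the proxy itself presents. The "TLS CA System" help text "This option overrides prior option." would also be clearer as `When checked, the TLS CA selection above is ignored.`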